
As the late Douglas Adams explained in his popular series about the history of long-distance travel, the two best-known English-language e-books for those venturing beyond our own solar system are the formal but unexciting Encyclopedia Galactica, and its more casually-written competitor The Hitchhiker’s Guide to the Galaxy (HHGttG).
Space travel can be a tricky business, and an encouraging guidebook can be a great comfort, especially for the budget-conscious traveler.
In Adams’s own words:
In many of the more relaxed civilizations on the Outer Eastern Rim of the Galaxy, the Hitchhiker’s Guide has already supplanted the great Encyclopedia Galactica as the standard repository of all knowledge and wisdom, for though it has many omissions and contains much that is apocryphal, or at least wildly inaccurate, it scores over the older, more pedestrian work in two important respects.
First, it is slightly cheaper; and second, it has the words DON’T PANIC inscribed in large friendly letters on its cover.
In an unfortunate contrast, advice in the cybersecurity industry doesn’t seem to work this way.
Academic papers in the cybersecurity field are often written in a formal but jargon-laden style, which makes them hard to appreciate (or even to follow at all) for outsiders.
Peer review tends to keep them scientifically or mathematically on track, but contemporary academic funding seems to depend on research papers talking themselves up.
Research reports therefore often include upbeat, low-science “executive summaries” that understandably make the funding bodies feel good about the money they have already handed over, and help to attract ongoing funding for the authors’ future work.
Unlike the Encyclopedia Galactica, these reports are deliberately pitched as super-exciting and un-pedestrian, and are frequently accepted as bulging with advice that is critical to our cybersecurity future and vital to implement at once, even by readers who almost certainly didn’t follow (or even bother to read) the content beyond the self-promotional material at the start.
In another contrast, less formal articles about cybersecurity often take exactly the opposite approach to the laconic and easy-going HHGttG.
To avoid outright accusations of unethical behavior, dramatic cybersecurity articles rarely come with the word PANIC inscribed on the cover in unfriendly letters, but if you’re a cybersecurity cynic, you can be excused for behaving as if they do.
This sort of PR cyber-drama comes in regular bursts, often timed for maximum coverage to coincide with popular times and seasons, including Halloween, Black Friday, the December holiday season, the New Year (Western and Eastern flavors, both now widely celebrated worldwide) and more.
The Western-style New Year is a particularly busy time for cyber-drama, with myriad Threat Reports coming out (mostly more of what happened last year, if you don’t have time to read them), Cybersecurity Predictions (mostly more of what happened this year), and Do These N Things Right Now, One Being to Buy Our Brand New Product listicles (mostly N-1 things that you’d have been wise to do last year, and the year before, and so on, long before the Brand New Product existed).
The good news is that if you ignore the hyperbole, the sales spiel, the high drama, and the conspicuous lack of the words DON’T PANIC in friendly letters, then a lot of the advice in these reports, predictions and warnings is well worth following, and has been for years.
Examples of effective and protective human-centered cybersecurity behavior include:
The bad news, of course, is that despite the useful and actionable advice they may contain, a lot of these high-drama seasonal warnings imply, or at least invite their readers to infer, that these are seasonal precautions, and thus that you can let your guard down at other times.
Please don’t do that!
As Amos the Armadillo has already warned: Cybersecurity advice that’s worth following today is worth following in your ongoing digital life.
Don’t take the right precautions on Black Friday or Cyber Monday and then let your guard down on Tuesday!
If you’re a LinkedIn user and you’re not yet following @SolCyber, do so now to keep up with the delightfully useful Amos The Armadillo’s Almanac series. SolCyber’s lovable mascot Amos provides regular, amusing, and easy-to-digest explanations of cybersecurity jargon, from MiTMs and IDSes to DDoSes and RCEs.
Even if you know all the jargon yourself, Amos will help you explain it to colleagues, friends, and family in an unpretentious, unintimidating way.
Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of HHGttG badge via Flickr, licensed under CC BY 2.0.
(The badge was given away with the HHGttG computer game of 1984. For old-school text adventure aficionados, the original source code of the game can be found and studied on GitHub. It’s written in a Lisp-like language called ZIL, itself derived from an AI language called MDL from the 1970s.)







